iptables is the command line tool for the netfilter packet filter built into the Linux kernel (it replaced the older ipchains of the 2.2 kernels). Netfilter support is compiled into the kernels of today's distributions. With iptables you don't need a graphical tool, so it's very suitable for scripting.
First, install the necessary package. For Ubuntu / Debian:
apt-get update
apt-get install iptables
When the package is installed, create a file /etc/init.d/iptables (or whatever name you prefer; use the same name in the update-rc.d call later on) and paste the lines below into it. The #!/bin/sh line must be the very first line of the file, otherwise the kernel will not run it as a shell script.
#!/bin/sh
########################################
# iptables start/stop script
# location /etc/init.d/iptables
########################################
PATH=/bin:/sbin:/usr/bin:/usr/sbin
TABLEBIN=/sbin/iptables
#
# INPUT - SERVICES
#
IN_TCP_SERVICES="80 443 25 110 995 21" # http https smtp pop3 pop3s ftp
IN_UDP_SERVICES=""
# note: ftp data connections only match the RELATED state if the
# ip_conntrack_ftp / nf_conntrack_ftp kernel module is loaded
#
# OUTPUT - SERVICES
#
OUT_TCP_SERVICES="80 443 25 43 2703 21" # http https smtp whois razor ftp
OUT_UDP_SERVICES="53 123" # DNS ntp
if ! [ -x $TABLEBIN ]; then
echo "$TABLEBIN does not exist or is not executable" >&2
exit 1
fi
The INPUT service lists define which ports are opened for remote access (http, smtp, ...), the OUTPUT lists which ports the host itself may connect to. Make the file executable (mode 755) and make sure root owns it:
chmod 755 /etc/init.d/iptables
chown root:root /etc/init.d/iptables
Run the script once to check it. If iptables isn't installed correctly you will get an error message. Next step: the iptables rules themselves. Append the following lines to the script:
#
# start firewall
#
fw_start ()
{
# default policy: deny everything that is not explicitly allowed
$TABLEBIN -P INPUT DROP
$TABLEBIN -P FORWARD DROP
$TABLEBIN -P OUTPUT DROP
# loopback: match on the interface, not on the 127.0.0.1 source address,
# otherwise a packet with a spoofed 127.0.0.1 source arriving on eth0 would be accepted
$TABLEBIN -A INPUT -i lo -j ACCEPT
$TABLEBIN -A OUTPUT -o lo -j ACCEPT
# deny special bad ip addresses (these come before everything else)
$TABLEBIN -A INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...
$TABLEBIN -A INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...
$TABLEBIN -A INPUT -s xxx.xxx.xxx.xxx -j DROP # deny, because of ...
# common: packets belonging to connections we already accepted or opened ourselves
$TABLEBIN -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$TABLEBIN -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow mysql from special IP addresses; the replies to these clients are matched
# by the ESTABLISHED rule above, so no OUTPUT rule with the client address is needed
$TABLEBIN -A INPUT -p tcp -s xxx.xxx.xxx.xxx --dport 3306 -j ACCEPT # MYSQL for clients
# allow always
$TABLEBIN -A INPUT -p tcp --dport 2222 -j ACCEPT # ssh on port 2222, see below
# INPUTS
if [ -n "$IN_TCP_SERVICES" ] ; then
for PORT in $IN_TCP_SERVICES; do
$TABLEBIN -A INPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi
if [ -n "$IN_UDP_SERVICES" ] ; then
for PORT in $IN_UDP_SERVICES; do
$TABLEBIN -A INPUT -p udp --dport ${PORT} -j ACCEPT
done
fi
# OUTPUTS
if [ -n "$OUT_TCP_SERVICES" ] ; then
for PORT in $OUT_TCP_SERVICES; do
$TABLEBIN -A OUTPUT -p tcp --dport ${PORT} -j ACCEPT
done
fi
if [ -n "$OUT_UDP_SERVICES" ] ; then
for PORT in $OUT_UDP_SERVICES; do
$TABLEBIN -A OUTPUT -p udp --dport ${PORT} -j ACCEPT
done
fi
}
The ssh daemon on this host listens on port 2222 instead of the default 22. This mostly keeps the automated scans of port 22 out of the logs; on its own it does not make sshd any safer, so it is no substitute for the usual sshd hardening.
The last step to complete the script is the stopping call:
#
# stop firewall
#
fw_stop ()
{
# flush all rules, delete user defined chains, then open everything
$TABLEBIN -F
$TABLEBIN -X
$TABLEBIN -t nat -F
$TABLEBIN -t nat -X
$TABLEBIN -t mangle -F
$TABLEBIN -t mangle -X
$TABLEBIN -P INPUT ACCEPT
$TABLEBIN -P FORWARD ACCEPT
$TABLEBIN -P OUTPUT ACCEPT
}
case "$1" in
start)
echo -n "starting firewall.."
fw_stop
fw_start
echo "done."
;;
stop)
echo -n "stopping firewall.."
fw_stop
echo "done."
;;
*)
echo "Usage: $0 {start|stop}"
exit 1
;;
esac
exit 0
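Before wiring the script into the boot process it helps to see the rule set as a whole and to be able to review it without touching the live firewall. The following is an added example, not the article's script: the same default-deny firewall written as a small sh library whose ipt wrapper prints each iptables command line instead of running it while DRY_RUN=1, so the generated rules can be inspected without root. Compared with fw_start above it also sets the FORWARD policy, drops spoofed 127/8 packets arriving on non-loopback interfaces, matches new connections with --state NEW, and lets the ESTABLISHED rule handle the MySQL replies. The helper names (ipt, valid_ports, fw_rules, rule_count) and the client and blocklist addresses (taken from the RFC 5737 test networks) are my own and not part of the original.

```shell
#!/bin/sh
# Added example (not the article's script): the same default-deny rule set,
# built through a wrapper that prints the rules instead of applying them
# unless DRY_RUN=0. Sample addresses are constructed (RFC 5737 test networks).

TABLEBIN=${TABLEBIN:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}      # 1 = print the iptables command lines, 0 = run them (needs root)

IN_TCP_SERVICES="80 443 25 110 995 21"   # http https smtp pop3 pop3s ftp
IN_UDP_SERVICES=""
OUT_TCP_SERVICES="80 443 25 43 2703 21"  # http https smtp whois razor ftp
OUT_UDP_SERVICES="53 123"                # dns ntp
SSH_PORT=2222
MYSQL_CLIENTS="192.0.2.10 192.0.2.11"    # constructed: hosts allowed to reach mysql
BLOCKED_HOSTS="198.51.100.7"             # constructed: addresses dropped outright

# ipt ARGS...: run iptables with ARGS, or print the command line in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        "$TABLEBIN" "$@" || { echo "failed: iptables $*" >&2; return 1; }
    fi
}

# valid_ports "LIST": succeed only if every word in LIST is a port number 1-65535.
valid_ports() {
    for p in $1; do
        case $p in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# fw_rules: emit (or apply) the complete rule set in the order that matters:
# blocklist first, then loopback and anti-spoofing, then the state rule,
# then one ACCEPT per service. New connections are matched with --state NEW
# so the per-service rules are not hit by stray mid-stream packets.
fw_rules() {
    valid_ports "$IN_TCP_SERVICES $IN_UDP_SERVICES $OUT_TCP_SERVICES $OUT_UDP_SERVICES $SSH_PORT" \
        || { echo "service lists must contain port numbers only" >&2; return 1; }
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    for h in $BLOCKED_HOSTS; do ipt -A INPUT -s "$h" -j DROP; done
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # a 127/8 source on any interface other than lo is spoofed
    ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    for h in $MYSQL_CLIENTS; do
        ipt -A INPUT -p tcp -s "$h" --dport 3306 -m state --state NEW -j ACCEPT
    done
    for p in $IN_TCP_SERVICES;  do ipt -A INPUT  -p tcp --dport "$p" -m state --state NEW -j ACCEPT; done
    for p in $IN_UDP_SERVICES;  do ipt -A INPUT  -p udp --dport "$p" -j ACCEPT; done
    for p in $OUT_TCP_SERVICES; do ipt -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT; done
    for p in $OUT_UDP_SERVICES; do ipt -A OUTPUT -p udp --dport "$p" -j ACCEPT; done
}

# rule_count: how many iptables calls a dry run produces (a cheap sanity check).
rule_count() {
    ( DRY_RUN=1; fw_rules ) | wc -l | tr -d ' '
}
```

Source the file and call fw_rules to print the rules; run it with DRY_RUN=0 as root to apply them. Every hard-coded xxx.xxx.xxx.xxx from the article's script becomes an entry in MYSQL_CLIENTS or BLOCKED_HOSTS here, and a typo in one of the service lists aborts the whole run instead of silently producing a rule that iptables rejects half way through.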
Now you start your iptables script with
/etc/init.d/iptables start
/etc/init.d/iptables stop
To start the script during the boot process, add it to the runlevel configuration (Debian/Ubuntu). The name must match the file you created in /etc/init.d:
update-rc.d iptables start 40 S . stop 89 0 6 .
Be careful!! Test the script manually first, because a mistake in the rules can lock you out of the system, especially when you are working over ssh.
Firewall architecture with a DMZ (figure):
Source: http://www.basic-security.com/MEDIA/US/RESEAU-DMZ.jpg
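The warning above is the one most people learn the hard way, so here is an added example that is not part of the original article: a small guard that snapshots the current rules with iptables-save, runs the firewall script, and automatically restores the snapshot after a timeout unless you confirm from a fresh ssh login that you still get in. The function names and the backup path are my own; SAVE_CMD and RESTORE_CMD are variables only so that the logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not part of the original article: apply a firewall script
# with an automatic rollback so that a rule mistake cannot lock you out of a
# remote machine. Helper names and the backup path are assumptions.

SAVE_CMD=${SAVE_CMD:-iptables-save}          # dumps the live rule set to stdout
RESTORE_CMD=${RESTORE_CMD:-iptables-restore} # loads a rule set from stdin
BACKUP=${BACKUP:-/root/iptables.rollback}

# apply_with_rollback SCRIPT TIMEOUT
#   Snapshot the live rules, run "SCRIPT start", and arm a background timer
#   that restores the snapshot after TIMEOUT seconds. Prints the timer's PID.
#   If SCRIPT fails, the snapshot is restored immediately and no timer is armed.
apply_with_rollback() {
    script=$1
    timeout=$2
    [ -x "$script" ] || { echo "$script is not executable" >&2; return 1; }
    $SAVE_CMD > "$BACKUP" || { echo "could not snapshot the current rules" >&2; return 1; }
    if ! "$script" start; then
        $RESTORE_CMD < "$BACKUP"
        echo "$script failed, previous rules restored" >&2
        return 1
    fi
    # The timer is detached from this shell's stdout so that callers can capture the PID.
    ( sleep "$timeout"; $RESTORE_CMD < "$BACKUP" ) > /dev/null 2>&1 &
    echo $!
}

# confirm_rules TIMER_PID
#   Run this from a NEW ssh session once you are sure you still get in;
#   it disarms the timer so the new rules stay in place.
confirm_rules() {
    kill "$1" 2> /dev/null
}

# rollback_now
#   Manual escape hatch: put the snapshot back right away.
rollback_now() {
    $RESTORE_CMD < "$BACKUP"
}
```

Typical use on a live box: pid=$(apply_with_rollback /etc/init.d/iptables 120), then open a second ssh connection. If it works, run confirm_rules "$pid"; if it does not, wait the two minutes and the previous rules come back on their own. Confirm from the new session, not the old one: an existing connection survives on the ESTABLISHED rule even when the rule for new ssh connections is missing.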
Useful links:
- iptables – Die Firewall des Kernel 2.4 (Wolfgang Kinkeldei, in German): http://www.pro-linux.de/NB3/artikel/2/print/761/6,6iptables-die-firewall-des-kernels-24.html
- iptables script generator (Tarjei Mandt): http://www.mista.nu/iptables/
Michael Kolb » Blog Archive » Changing ssh port
December 1st, 2008
[...] Setting up a firewall with iptables to improve systems security will be shown in this article [...]
nicole@younic
November 26th, 2008
quite complicated – must admit that I don’t understand a bit – but, well, sounds good